PT-2021-11229 · Docker+2
Mobydick · Published 2021-01-20 · Updated 2021-02-02 · CVE-2020-26278
CVSS v3.1: 8.0 (High)
Vector: AV:A/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Weave Net versions prior to 2.8.0
Description:
Weave Net is open source software that creates a virtual network connecting Docker containers across multiple hosts and enables their automatic discovery. A vulnerability in Weave Net before version 2.8.0 can allow an attacker to take over any host in the cluster. The manifest that runs pods on every node in a Kubernetes cluster sets privileged: true and hostPID: true, giving it significant power over the host. However, the hostPID: true setting is not necessary and is being removed. This vulnerability can be exploited if there is an additional vulnerability, such as a bug in Kubernetes, or a misconfiguration that allows an attacker to run code inside the Weave Net pod. No such bug is known, and there are no known instances of this being exploited.
Recommendations:
For Weave Net versions prior to 2.8.0, update to version 2.8.0 to remove the hostPID setting and move CNI plugin install to an init container.
As a temporary workaround, edit the hostPID line in the existing DaemonSet manifest to say false instead of true, arrange some other way to install CNI plugins, and remove those mounts from the DaemonSet manifest.
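The following added example (not part of the advisory and not Weave Net's own code or manifest) audits a DaemonSet for the host-level settings named above and applies the workaround to a copy. The function names `audit` and `apply_workaround`, the `drop_volumes` parameter, and the sample manifest with its volume names and paths are assumptions made for illustration.

```python
import copy
import json

# Constructed sample shaped like `kubectl get daemonset -o json` output.
# Names and paths are placeholders, not the real Weave Net manifest.
SAMPLE = json.loads("""
{"metadata": {"name": "example-net"}, "spec": {"template": {"spec": {
   "hostPID": true,
   "containers": [{"name": "agent", "securityContext": {"privileged": true},
     "volumeMounts": [{"name": "cni-bin", "mountPath": "/host/cni-bin"},
                      {"name": "state", "mountPath": "/state"}]}],
   "volumes": [{"name": "cni-bin", "hostPath": {"path": "/example/cni/bin"}},
               {"name": "state", "emptyDir": {}}]}}}}
""")
KINDS = ("initContainers", "containers")


def audit(ds):
    """Return (check, subject, detail) tuples for host-level access in a DaemonSet."""
    pod = ds["spec"]["template"]["spec"]
    findings = []
    if pod.get("hostPID") is True:
        findings.append(("hostPID", ds["metadata"]["name"], "shares host PID namespace"))
    host_paths = {v["name"]: v["hostPath"]["path"]
                  for v in pod.get("volumes", []) if "hostPath" in v}
    for kind in KINDS:
        for c in pod.get(kind, []):
            if (c.get("securityContext") or {}).get("privileged") is True:
                findings.append(("privileged", c["name"], kind))
            for m in c.get("volumeMounts", []):
                if m["name"] in host_paths and not m.get("readOnly", False):
                    findings.append(("hostPath-rw", c["name"], host_paths[m["name"]]))
    return findings


def apply_workaround(ds, drop_volumes):
    """Copy of ds with hostPID false and the named install volumes and mounts removed."""
    fixed = copy.deepcopy(ds)
    pod = fixed["spec"]["template"]["spec"]
    pod["hostPID"] = False
    for kind in KINDS:
        for c in pod.get(kind, []):
            c["volumeMounts"] = [m for m in c.get("volumeMounts", [])
                                 if m["name"] not in drop_volumes]
    pod["volumes"] = [v for v in pod.get("volumes", []) if v["name"] not in drop_volumes]
    return fixed


if __name__ == "__main__":
    print(audit(SAMPLE), audit(apply_workaround(SAMPLE, {"cni-bin"})), sep="\n")
```

After the workaround the audit still reports the privileged container, because the workaround described above changes only hostPID and the CNI install mounts.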
Affected Products
Docker
Kubernetes
Weave Net